CJEU decision in dispute over IP addresses


The CJEU issued on the 19th of October, 2016, the long awaited decision in case C‑582/14 (Patrick Breyer Bundesrepublik Deutschland), which dealt with the issue whether dynamic IP addresses are personal data. It confirmed that they are, but under certain conditions which must be fullfiled.

In particular, the Court made a decision on the basis of a reference for a preliminary ruling. The request has been made in proceedings between Mr Patrick Breyer and the Bundesrepublik Deutschland (Federal Republic of Germany) concerning the registration and storage by the latter of the internet protocol address (‘IP address’) allocated to Mr Breyer when he accessed several internet sites run by German Federal institutions.

The questions which were addressed to the Court were the following:

(1)      Must Article 2(a) of Directive 95/46 … be interpreted as meaning that an internet protocol address (IP address) which an [online media] service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?
(2)      Does Article 7(f) of [that directive] preclude a provision in national law under which a service provider may collect and use a user’s personal data without his consent only to the extent necessary in order to facilitate, and charge for, the specific use of the telemedium by the user concerned, and under which the purpose of ensuring the general operability of the telemedium cannot justify use of the data beyond the end of the particular use of the telemedium?’
Regarding the first question, it was firstly considered that a dynamic IP address does not constitute information relating to an ‘identified natural person’, since such an address does not directly reveal the identity of the natural person who owns the computer from which a website was accessed, or that of another person who might use that computer (Recital nr. 38). Nevertheless, it is clear from the wording of Article 2(a) of Directive 95/46 that an identifiable person is one who can be identified, directly or indirectly. This is the case of dynamic addresses which may be used to identify the user of a website, but on the basis of additional data. Those data are not held by the online media services provider, but by that user’s internet service provider. Therefore, this fact does not exclude that dynamic IP addresses registered by the online media services provider constitute personal data within the meaning of Article 2(a) of Directive 95/46 (Recital Nr. 44).

As a result, the answer to the first question was that: 

Article 2(a) of Directive 95/46 must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.

Furthermore, as regards the second question, the Court held that Article 7(f) of that directive precludes Member States from excluding, categorically and in general, the possibility of processing certain categories of personal data without allowing the opposing rights and interests at issue to be balanced against each other in a particular case. Thus, it held that Member States cannot definitively prescribe, for certain categories of personal data, the result of the balancing of the opposing rights and interests, without allowing a different result by virtue of the particular circumstances of an individual case. 

Particularly, the German Federal institutions, which provide online media services, according to the Court, may have a legitimate interest in ensuring, in addition to the specific use of their publicly accessible websites, the continued functioning of those websites. Thus, the storage of users’ data would be necessary to guarantee the security and continued proper functioning of the online media services that it makes accessible to the public, in particular, enabling cyber attacks known as ‘denial-of-service’ attacks, which aim to paralyse the functioning of the sites by the targeted and coordinated saturation of certain web servers with huge numbers of requests, to be identified and combated.